We would like to perform HP 2530 hardening, but some options seem to be missing in the current firmware.
For HTTPS we were unable to:
1. Disable all protocols except TLSv1.2.
2. Enable forward secrecy key exchange: ECDHE (with P-521 or Curve25519) or DHE with 4096 dhparam instead of non-FS RSA key exchange.
3. Disable 3DES_EDE_CBC cipher (grade C in Qualys SSL Server Test).
4. Enable AEAD ciphers like AES_256_GCM, AES_128_GCM or CHACHA20_POLY1305.
5. Disable Secure Client-Initiated Renegotiation.
For SSH we were unable to:
1. Replace diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1 with diffie-hellman-group-exchange-sha256.
2. Replace existing MACs with hmac-sha2-256.
Firmware used: YA.15.16.0008.
Can we expect that support for modern cipher suites will appear in HP products?
#ssh #compliance #security #hardening #https
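
An added example, not part of the original post and not HP code: a Python check that parses an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and reports the key-exchange and MAC algorithms named in the SSH list above. The function names and the sample offer are constructed for illustration; the sample is not a capture from a 2530.

```python
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
# Algorithm names below are the ones listed in the post.
SHA1_KEX = {"diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"}
WANTED = {"kex": "diffie-hellman-group-exchange-sha256",
          "mac_c2s": "hmac-sha2-256", "mac_s2c": "hmac-sha2-256"}

def parse_kexinit(payload: bytes) -> dict:
    """Return the name-lists of a KEXINIT payload (type byte, cookie, lists)."""
    if len(payload) < 17 or payload[0] != 20:      # 20 = SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}                               # skip type byte + 16-byte cookie
    for name in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")   # uint32 list length
        if pos + 4 > len(payload) or pos + 4 + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        pos += 4 + n
    return out

def audit(lists: dict) -> list:
    """Flag SHA-1 kex, MACs other than hmac-sha2-256, and missing targets."""
    findings = []
    for field, wanted in WANTED.items():
        for alg in lists[field]:
            if alg in SHA1_KEX or (field != "kex" and alg != wanted):
                findings.append(f"{field}: remove {alg}")
        if wanted not in lists[field]:
            findings.append(f"{field}: missing {wanted}")
    return findings

def build_payload(lists: dict) -> bytes:
    """Encode name-lists as a KEXINIT payload (used for the constructed sample)."""
    body = b"".join(len(s).to_bytes(4, "big") + s for s in
                    (",".join(lists.get(f, [])).encode("ascii") for f in FIELDS))
    return bytes([20]) + bytes(16) + body + bytes(5)  # no guess packet, reserved=0

# Constructed sample offer for illustration, not captured from a 2530.
SAMPLE = build_payload({"kex": sorted(SHA1_KEX), "host_key": ["ssh-rsa"],
                        "enc_c2s": ["aes256-ctr"], "enc_s2c": ["aes256-ctr"],
                        "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"],
                        "comp_c2s": ["none"], "comp_s2c": ["none"]})

if __name__ == "__main__":
    print("\n".join(audit(parse_kexinit(SAMPLE))))
```

The KEXINIT message is exchanged before encryption starts, so its payload can be taken from a packet capture of a login to the switch after stripping the binary packet header (packet length and padding length) and trailing padding.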